Bug 470857

Summary: SELinux policy prevents hplip_t type from reading cupsd_tmp_t files
Product: Red Hat Enterprise Linux 5
Reporter: keith.d.schincke
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium
Priority: medium
Version: 5.2
CC: mmalik, syeghiay, twaugh
Target Milestone: rc
Hardware: ia64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-20 21:31:27 UTC

Description keith.d.schincke 2008-11-10 16:58:19 UTC
Description of problem:
The SELinux policy prevents hplip_t type from reading cupsd_tmp_t files. 

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-137.1.el5_2
cups-1.2.4-11.18.el5_2.1
hplip-1.6.7-4.1.el5_2.4


How reproducible:
Very reproducible

Steps to Reproduce:
1. Ensure SELinux is enforcing
2. Configure a printer to use HP printer
3. Print
  
Actual results:
AVC deny messages:
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_dhFKnK" dev=dm-3 ino=98418 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_FVET5E" dev=dm-3 ino=98426 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file


Expected results:
Successful printing

Additional info:
Here is a custom .te file I created to allow the needed access

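# Local policy module granting hpijs (hplip_t) access to CUPS temporary files
policy_module(hplp_allow, 1.0.0)

# Types defined by the base policy that this module refers to
require {
	type hplip_t;
	type cupsd_tmp_t;
}

# Permit exactly the access denied in the AVC messages above
allow hplip_t cupsd_tmp_t:file { read write };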
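
Added example, not part of the original report or of any Red Hat tool: a small Python parser that reduces the two AVC denials quoted above to the type-enforcement rule they imply, while keeping the comm and path values a reviewer needs to judge whether the access is actually required. The function names are assumptions of this example; the sample input is the two log lines from the description.

```python
import re
from collections import defaultdict

# The two denials quoted in this report's description.
SAMPLE_LOG = """\
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_dhFKnK" dev=dm-3 ino=98418 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_FVET5E" dev=dm-3 ino=98426 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'\b(comm|path)="([^"]*)"')


def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:mls range])."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "comm": set(), "path": set()})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        for name, value in FIELD_RE.findall(line):
            groups[key][name].add(value)  # evidence for the reviewer
    return dict(groups)


def allow_rules(groups):
    """Render one allow rule per group, matching the rule in the .te file above."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"])))
        for (src, tgt, cls), g in sorted(groups.items())
    ]


if __name__ == "__main__":
    for key, g in parse_denials(SAMPLE_LOG).items():
        print(key, sorted(g["comm"]), sorted(g["path"]))
    print("\n".join(allow_rules(parse_denials(SAMPLE_LOG))))
```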

Comment 1 Daniel Walsh 2008-11-10 19:06:31 UTC
Did the print job fail to print originally?  Or were there just AVCs generated?

If it

Comment 2 keith.d.schincke 2008-11-10 20:11:30 UTC
The print jobs were failing. 

However, the admin of the host has changed the queue configuration from Friday to today. It is now printing via lpd without an issue. I am going to tape to see if I can obtain a copy of the non-working configuration.

Keith

Comment 3 Daniel Walsh 2008-11-10 20:14:29 UTC
Fixed in selinux-policy-2.4.6-183.el5

Comment 4 Tim Waugh 2008-11-11 09:39:14 UTC
(In reply to comment #2)
> I am going to tape to
> see if I can obtain a copy of the non-working configuration.

Yes please.

Comment 12 Daniel Walsh 2008-12-16 13:10:27 UTC
Did the print job succeed?


If yes then this is probably a leaked file descriptor in cups.

Comment 13 Milos Malik 2008-12-16 13:26:55 UTC
The print job succeeded.

<snip>

:: grep VirtPrinter5062 /var/log/cups/page_log ::
VirtPrinter5062 root 1 [15/Dec/2008:03:24:00 -0500] 1 1 - localhost
        * the page was printed <-- correct

</snip>

Thanks for explaining those magic AVCs to me. It means that I can change the bug to verified.

Comment 15 errata-xmlrpc 2009-01-20 21:31:27 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html